#!/bin/sh
# --- Fail if any command fails.
set -e

ARCHIVE="@CMAKE_INSTALL_PREFIX@"

WORKDIR="${ARCHIVE}"
CLOUDCOMPAREAPP="${WORKDIR}/CloudCompare/CloudCompare.app"
PYTHONAPP="${CLOUDCOMPAREAPP}/Contents/Resources/python"
SIGNATURE="5XUC29Y5KK"

cat > "${WORKDIR}/hdapp.entitlements" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.hardened-runtime</key>
    <true/>
</dict>
</plist>
EOF

cat > "${WORKDIR}/ccapp.entitlements" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.hardened-runtime</key>
    <true/>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
</dict>
</plist>
EOF

cat > "${WORKDIR}/sbapp.entitlements" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.files.user-selected.read-write</key>
    <true/>
    <key>com.apple.security.network.server</key>
    <true/>
</dict>
</plist>
EOF

cat > "${WORKDIR}/pythonapp.entitlements" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.cs.allow-unsigned-executable-memory</key>
    <true/>
    <key>com.apple.security.cs.disable-library-validation</key>
    <true/>
</dict>
</plist>
EOF

cat > "${WORKDIR}/tool.entitlements" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>com.apple.security.app-sandbox</key>
    <true/>
    <key>com.apple.security.inherit</key>
    <true/>
</dict>
</plist>
EOF

# --- remove old signatures
echo "--- remove old signatures"
find "${CLOUDCOMPAREAPP}" -name "*.dylib" -exec codesign --remove-signature {} \;
find "${CLOUDCOMPAREAPP}" -name "*.so"    -exec codesign --remove-signature {} \;
codesign --remove-signature "${CLOUDCOMPAREAPP}/Contents/MacOS/CloudCompare"

# --- Sign the apps from the inside out.

isGenPython="@PLUGIN_PYTHON@"
if [ $isGenPython == "ON" ]
then
    # --- First, inside python app
    
    echo "--- signature dylib & so Python app --- : ${PYTHONAPP}"
    find "${PYTHONAPP}" -name "*.dylib" -exec codesign -s ${SIGNATURE} -f --timestamp {} \;
    find "${PYTHONAPP}" -name "*.so"    -exec codesign -s ${SIGNATURE} -f --timestamp {} \;
    
    echo "--- signature executables Python app ---"
    codesign --remove-signature "${CLOUDCOMPAREAPP}/Contents/Resources/python/bin/python"
    codesign -s ${SIGNATURE} -f --timestamp -i fr.openfields.CloudCompare -o runtime --entitlements "${WORKDIR}/pythonapp.entitlements" "${CLOUDCOMPAREAPP}/Contents/Resources/python/bin/python"

    # --- Then, inside CloudCompare app
    
    echo "--- signature dylib & so CloudCompare app ---"
    find "${CLOUDCOMPAREAPP}" -path "${PYTHONAPP}" -prune -o -name "*.dylib" -exec codesign -s ${SIGNATURE} -f --timestamp {} \;
    find "${CLOUDCOMPAREAPP}" -path "${PYTHONAPP}" -prune -o -name "*.so"    -exec codesign -s ${SIGNATURE} -f --timestamp {} \;
    
    echo "--- signature executables CloudCompare app ---"
    codesign -s ${SIGNATURE} -f --timestamp -i fr.openfields.CloudCompare -o runtime --entitlements "${WORKDIR}/ccapp.entitlements" "${CLOUDCOMPAREAPP}/Contents/MacOS/CloudCompare"
    
    echo "--- signature CloudCompare app ---"
    codesign -s ${SIGNATURE} -f --timestamp -i fr.openfields.CloudCompare -o runtime --entitlements "${WORKDIR}/ccapp.entitlements" "${CLOUDCOMPAREAPP}"
else
    # --- Inside CloudCompare app

    echo "--- signature dylib & so CloudCompare app ---"
    find "${CLOUDCOMPAREAPP}" -path "${PYTHONAPP}" -prune -o -name "*.dylib" -exec codesign -s ${SIGNATURE} -f --timestamp {} \;
    find "${CLOUDCOMPAREAPP}" -path "${PYTHONAPP}" -prune -o -name "*.so"    -exec codesign -s ${SIGNATURE} -f --timestamp {} \;
    
    echo "--- signature executables CloudCompare app ---"
    codesign -s ${SIGNATURE} -f --timestamp -i fr.openfields.CloudCompare -o runtime --entitlements "${WORKDIR}/hdapp.entitlements" "${CLOUDCOMPAREAPP}/Contents/MacOS/CloudCompare"
    # --- no entitlement: notarization error "The executable does not have the hardened runtime enabled."
    #codesign -s ${SIGNATURE} -f --timestamp -i fr.openfields.CloudCompare -o runtime "${CLOUDCOMPAREAPP}/Contents/MacOS/CloudCompare"
    
    echo "--- signature CloudCompare app ---"
    codesign -s ${SIGNATURE} -f --timestamp -i fr.openfields.CloudCompare -o runtime --entitlements "${WORKDIR}/hdapp.entitlements" "${CLOUDCOMPAREAPP}"
    # --- use same entitlement as executable: supersede the executable entitlement?
fi
